The resignation this week of the U.S. Office of Personnel Management’s chief information officer, in the wake of massive breaches revealed last year, highlights the perilous task CIOs face as guardians of an organization’s data from an onslaught of cyber attacks, industry analysts and security experts say.

Donna Seymour, who resigned as OPM’s CIO on Monday, said she had worked to make the agency a federal government “leader in cyber response” according to an internal email to agency staff.

Since joining the agency in December 2013, Ms. Seymour said, she and her team turned an “array of aging systems” into a more “modern, secure environment, while simultaneously putting into place new tools, procedures, and processes to better protect our existing legacy systems.”

At least two data breaches at the agency in 2014 exposed personal information on some 21.5 million current and former federal employees and their families, including security-clearance details dating back 15 years, the agency reported in July.

Ms. Seymour’s resignation comes just days before she was set to appear before a congressional hearing into the data beaches. That hearing has since been postponed, government officials said.

Katherine Archuleta, the agency’s director at the time, stepped down weeks after the breaches were revealed, amid calls for her resignation by lawmakers in both political parties.

Many had since called for Ms. Seymour’s resignation.

Rep. Mark Meadows (R., N.C.), chairman of the House Oversight and Government Reform Subcommittee on Government Operations, said Ms. Seymour’s departure was an “important turning point at an agency plagued with mismanagement and negligence at the highest level,” in a statement.

Likewise, Rep. Will Hurd (R., Tex.), chairman of the IT Subcommittee for Oversight and Government Reform, said Ms. Seymour had failed to “heed the advice contained in numerous reports by the Inspector General” regarding cyber threats, and that “her refusal to follow best practices and take responsibility initially is an insult to those compromised.”

Following a 2013 breach of customer data at Target Corp., “a precedent was set that top leaders of a breached company or organization will be let go,” Forrester Research Inc. principal analyst John Kindervag told CIO Journal. “This is really about protecting boards of directors and others higher up in the organization, but it does provide a good set of incentives around the importance of data security,” he said.

“The real question is why did it take so long for someone to be held accountable,” for the OPM breaches, said Neil MacDonald, vice president of research firm Gartner Inc. “While the breach may not have been prevented, it should have been detected and stopped long before that sizeable amount of OPM data was lost,” he said.

Doug Robinson, executive director of the National Association of State Chief Information Officers, agreed that Ms. Seymour should be held accountable for the breaches, since she failed to adequately respond to security deficiencies that were pointed out by auditors prior to the data breach.

But, he added, there’s an ongoing debate over whether cyber attacks have become an inevitable “fact of life” in IT departments, and how much blame should fall on CIOs who fail to prevent them. “We have a lot of security incidents that are caused by employees” opening emails or downloading infected files, he told CIO Journal. “It’s difficult to hold CIOs responsible for incidents caused by employees.”

Indeed, others defended Ms. Seymour.

“It’s because of Donna and her team’s actions that OPM identified the cyber breach of its systems,” U.S. Chief Information Officer Tony Scott said this week in a statement. “In the subsequent weeks and months, they worked tirelessly to remediate the situation and embarked on the hard and necessary work to further improve the state of IT at OPM,” he said.

Rep. Elijah Cummings (D., Md.), ranking member of the House Oversight and Government Reform Committee, said efforts to blame the attacks on Ms. Seymour were “unfair and inaccurate” and set a “terrible precedent that will discourage qualified experts from taking on the challenge our nation faces in the future.”

Alan Charles Raul, a partner at Sidley Austin LLP, said in today’s environment organizations can have tough cybersecurity measures in place and still get hacked. “The world of data breaches is full of scapegoats, and CIOs tend to lead the herd,” he said.

Content from our sponsorDeloitteCIO Insights and Analysis from Deloitte

Capitalizing on successful innovation typically requires agility and the ability to rapidly address customer demands. While legacy on-premise technology can be an obstacle, the cloud often opens the door to new ways of improving customer service, responding more quickly to market conditions, and even rethinking the business.

Please note: The Wall Street Journal News Department was not involved in the creation of the content above.More from Deloitte →